From 8f612f743cbe6f658a32f90e9e452031be2e9f2c Mon Sep 17 00:00:00 2001
From: herrBez
Date: Tue, 10 Sep 2019 15:59:49 +0200
Subject: [PATCH] Use config dateField in xpack watcher to determine datefield name as in elasticsearch dsl backend

---
 tools/sigma/backends/elasticsearch.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/tools/sigma/backends/elasticsearch.py b/tools/sigma/backends/elasticsearch.py
index 297de205..9e287802 100644
--- a/tools/sigma/backends/elasticsearch.py
+++ b/tools/sigma/backends/elasticsearch.py
@@ -452,6 +452,7 @@ class XPackWatcherBackend(ElasticsearchQuerystringBackend, MultiRuleOutputMixin)
 tags = sigmaparser.parsedyaml.setdefault("tags", "")
 # Get time frame if exists
 interval = sigmaparser.parsedyaml["detection"].setdefault("timeframe", "30m")
+ dateField = self.sigmaconfig.config.get("dateField", "date")
 # creating condition
 indices = sigmaparser.get_logsource().index
 
@@ -673,7 +674,7 @@ class XPackWatcherBackend(ElasticsearchQuerystringBackend, MultiRuleOutputMixin)
 "filter": {
 "range":{
- "timestamp":{
+ dateField:{
 "gte":"now-%s/m"%self.filter_range #filter only for the last x minutes events
 }
 }
 }
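Review bot: The fallback `"date"` on the added line silently changes the range-filter field for every config that does not set `dateField`, because the key the second hunk replaces was the hard-coded `"timestamp"`; a watcher whose range filter names a field that does not exist in the target index matches no documents, so affected rules would stop firing without any error being raised. If the goal is parity with the DSL backend, its default should be used here (I cannot see that value from the hunk); otherwise keep the previous behaviour with `dateField = self.sigmaconfig.config.get("dateField", "timestamp")`, and the commit message should call out the default change either way. The enclosing method starts before the first hunk and continues past the second, so the assignment at line 455 and its use at line 677 are over two hundred lines apart; a comment at the assignment, `# field name used by the watcher's range filter, overridable via the dateField config key`, would make the dependency visible. The local name `dateField` also departs from the snake_case used by `filter_range` in the same method.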